Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Read More

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects loading of known malicious drivers via their hash.

Read More

Detects loading of known malicious drivers via the file name of the drivers.

Read More

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Read More

Detects loading of known vulnerable drivers via their hash.

Read More

Detects the load of known vulnerable drivers via the file name of the drivers.

Read More

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Read More

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Read More

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More

Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file

Read More

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Read More

Detect DLL Load from Spooler Service backup folder

Read More

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Read More

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

Read More

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.

Read More

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Read More

Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detection of unusual child processes by different system processes

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Detects certificate creation with template allowing risk permission subject

Read More

Detects certificate creation with template allowing risk permission subject and risky EKU

Read More

An attacker can use the SID history attribute to gain additional privileges.

Read More

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

Read More

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Read More

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Read More

Detects possible suspicious glue development endpoint activity.

Read More

Detects AWS root account usage

Read More

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Read More

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects global permissions change activity.

Read More

Detects buffer overflow attempts in Unix system log files

Read More

Bypasses User Account Control using a fileless method

Read More

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Read More

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

Read More

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

Read More

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Read More

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Read More

Monitor and alert for changes to the device registration policy.

Read More

Detects when changes are made to PIM roles

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Read More

Detects the creation of a named pipe as used by CobaltStrike

Read More

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

Read More

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects the ld.so preload persistence file. See man ld.so for more information.

Read More

Detects blocked load attempts of revoked drivers

Read More

Detects blocked image load events with revoked certificates by code integrity.

Read More

Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

Read More

Detects block events for files that are disallowed by code integrity for protected processes

Read More

Detects image load events with revoked certificates by code integrity.

Read More

Detects the load of a revoked kernel driver

Read More

Detects loaded kernel modules that did not meet the WHQL signing requirements.

Read More

Detects loaded unsigned image on the system

Read More

Detects the presence of a loaded unsigned kernel module on the system.

Read More

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Read More

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Read More

Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache

Read More

Detects the default "UserName" used by the DiagTrackEoP POC

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

Detects a driver load from a temporary directory

Read More

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More

Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM

Read More

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Read More

Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.

Read More

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects when changes are made to the SSH certificate configuration of the organization.

Read More

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.

Read More

Detects the use of CoercedPotato, a tool for privilege escalation

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Read More

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

Read More

Detects some Empire PowerShell UAC bypass methods

Read More

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Read More

Detects creation of default named pipes used by the Koh tool

Read More

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Read More

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Read More

Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

Read More

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Read More

Detects the use of SharpUp, a tool for local privilege escalation

Read More

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Read More

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

Read More

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects an interactive AT job, which may be used as a form of privilege escalation.

Read More

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.

Read More

Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

Read More

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Read More

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Read More

Detects when a Kubernetes Rolebinding is created or modified.

Read More

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Read More

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More

Detects the creation of doas.conf file in linux host platform.

Read More

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Read More

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Read More

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Read More

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Read More

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Read More

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

Read More

Detects the creation of a named pipe seen used by known APTs or malware.

Read More

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Read More

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Read More

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More

Detect modification of the startup key to a path where a payload could be stored to be launched during startup

Read More

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Read More

Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.

Read More

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More

Detects creation of a new service (kernel driver) with the type "kernel"

Read More

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Read More

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

Read More

Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.

Read More

Detects the creation of a new service using powershell.

Read More

Detects the creation of a new service using the "sc.exe" utility.

Read More

Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

Read More

Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects value modification of registry key containing path to binary used as screensaver.

Read More

By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.

Read More

Detects when PIM alerts are set to disabled.

Read More

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Read More

Detects command line parameter very often used with coin miners

Read More

Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand

Read More

Detects potential DLL sideloading of "7za.dll"

Read More

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Read More

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Read More

Detects potential DLL sideloading of "appverifUI.dll"

Read More

Detects potential DLL sideloading of "AVKkid.dll"

Read More

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Read More

Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par

Read More

Detects potential DLL sideloading of "CCleanerDU.dll"

Read More

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Read More

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.

Read More

Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights

Read More

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

Read More

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Read More

Detects DLL sideloading of "dbgcore.dll"

Read More

Detects potential DLL sideloading of "dbghelp.dll"

Read More

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Read More

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Read More

Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects potential Dridex acitvity via specific process patterns

Read More

Detects potential DLL sideloading of "EACore.dll"

Read More

Detects potential DLL sideloading of "edputil.dll"

Read More

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Read More

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Read More

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Read More

Detect when System Manager successfully executes commands against an instance.

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

Read More

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Read More

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Read More

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

Read More

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

Read More